How to do Subdomain Enumeration

There are three different subdomain enumeration methods: Brute Force, OSINT (Open-Source Intelligence) and Virtual Host.


OSINT

SSL/TLS Certificates

Find subdomains by searching the Certificate Transparency logs:

http://crt.sh/

https://transparencyreport.google.com/https/certificates
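To inventory the names your own certificates expose, the JSON form of a crt.sh search can be reduced to a clean host list. This is an added example, not code from the original page: the sample records are constructed, the field names `common_name` and `name_value` follow crt.sh's JSON output, and `names_from_ct` is a hypothetical helper name.

```python
import json

# Constructed sample in the shape of crt.sh's JSON output
# (https://crt.sh/?q=%25.poplabsec.com&output=json); not real log data.
SAMPLE = json.dumps([
    {"common_name": "poplabsec.com", "name_value": "poplabsec.com\nwww.poplabsec.com"},
    {"common_name": "*.poplabsec.com", "name_value": "*.poplabsec.com\npoplabsec.com"},
    {"common_name": "VPN.poplabsec.com", "name_value": "VPN.poplabsec.com"},
    {"common_name": "shop.example.net", "name_value": "shop.example.net\nmail.poplabsec.com"},
    {"common_name": "poplabsec.com", "name_value": "admin@poplabsec.com"},
    {"common_name": "notpoplabsec.com", "name_value": "notpoplabsec.com"},
])

def names_from_ct(raw_json, domain):
    """Return (hostnames, wildcard_parents) under `domain` seen in CT entries."""
    domain = domain.lower().rstrip(".")
    hosts, wildcards = set(), set()
    for entry in json.loads(raw_json):
        # name_value holds the SAN list, one name per line
        fields = [entry.get("common_name") or "", entry.get("name_value") or ""]
        for name in "\n".join(fields).splitlines():
            name = name.strip().lower().rstrip(".")
            if not name or "@" in name or " " in name:
                continue  # skip e-mail SANs and free-text common names
            is_wildcard = name.startswith("*.")
            if is_wildcard:
                name = name[2:]
            # Match on a label boundary so notpoplabsec.com is rejected
            if name != domain and not name.endswith("." + domain):
                continue
            (wildcards if is_wildcard else hosts).add(name)
    return sorted(hosts), sorted(wildcards)

if __name__ == "__main__":
    hosts, wildcards = names_from_ct(SAMPLE, "poplabsec.com")
    print("hostnames:", hosts)
    print("wildcard certificates cover:", wildcards)
```

A wildcard entry says nothing about which hosts exist under it, so it is reported separately from concrete hostnames.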

Google Dorks

-site:www.poplabsec.com  site:*.poplabsec.com

DNS Brute Force

DNSRecon

./dnsrecon -t brt -d poplabsec.com


Sublist3r

./sublist3r.py -d poplabsec.com


Virtual Hosts

ffuf -w /usr/share/wordlists/SecLists/Discovery/DNS/namelist.txt -H "Host: FUZZ.poplabsec.com" -u http://10.10.224.18
